Hi, I've never used OVH. How certain are you that the e1000 network driver
is the correct one?
Under VMWare/ESX the network driver choice can be crucial, for example.

On Wed, Aug 29, 2018 at 6:30 AM Kevin DAGNEAUX <kevin.dagne...@fiitelcom.fr>
wrote:

> Hi,
>
> I have a server in an OVH datacenter. On this server I have 7 VMs, and on
> 1 of them I run Apache.
> To debug a slow upload (which was ~2Mo/s instead of 12Mo/s) I installed an
> HTML5/PHP speed test application.
> When I use this app, I have no problem in general, but when I run a speed
> test from a source that has more bandwidth than the server (the server is
> limited to 100Mb/s by OVH and I run the test from a 4G+ network where I have
> ~150Mb/s of bandwidth), the DOM0 loses its network connection
> (as if the Ethernet cable were unplugged) until I reboot the server.
>
> When I check the syslog of DOM0, I see that iptables drops incoming packets
> on port 80 instead of routing them to the VM.
>
> This is the iptables script I use on DOM0:
>
> #!/bin/bash
>
> IPT="/sbin/iptables"
>
>
> ###########################################################################################
> # Filter
>
> ## Reset the default policies
> $IPT -t filter -P INPUT   ACCEPT
> $IPT -t filter -P FORWARD ACCEPT
> $IPT -t filter -P OUTPUT  ACCEPT
>
> ## Flush the tables
> $IPT -t filter -F
>
> ## Allow lo
> $IPT -t filter -A INPUT -i lo -j ACCEPT
>
> ## Open the ports needed by DOM0
> $IPT -t filter -A INPUT -m tcp -p tcp --dport 22      -j ACCEPT   ## SSH
> $IPT -t filter -A INPUT -m udp -p udp --dport 53      -j ACCEPT   ## DNS
> $IPT -t filter -A INPUT -m icmp -p icmp --icmp-type 8 -j ACCEPT   ## Ping
> $IPT -t filter -A INPUT -s 10.0.0.0/24 -j ACCEPT
>
> ## Accept if the connection is already established
> $IPT -t filter -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> ## Log whatever was not matched by the previous rules
> $IPT -A INPUT -p tcp -j LOG --log-prefix "DROPED packets "
>
> ## Block everything else
> $IPT -t filter -P INPUT DROP
>
>
> ############################################################################################
> # Nat
>
> ## Reset the default policies
> $IPT -t nat -P PREROUTING  ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P INPUT       ACCEPT
> $IPT -t nat -P OUTPUT      ACCEPT
>
> ## Flush
> $IPT -t nat -F
>
> ### Forward incoming ports to the "mails" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22030 -j DNAT --to 10.0.0.30:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 25    -j DNAT --to 10.0.0.30:25     ## SMTP
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 587   -j DNAT --to 10.0.0.30:587    ## SMTP SUBMISSION
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 465   -j DNAT --to 10.0.0.30:465    ## SMTP SSL
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 143   -j DNAT --to 10.0.0.30:143    ## IMAP
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 993   -j DNAT --to 10.0.0.30:993    ## IMAP SSL
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 9930  -j DNAT --to 10.0.0.30:9930   ## IMAP SSL
>
> ### Forward incoming ports to the "sql" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22020 -j DNAT --to 10.0.0.20:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 3306  -j DNAT --to 10.0.0.20:3306   ## MariaDB
>
> ### Forward incoming ports to the "files" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22010 -j DNAT --to 10.0.0.10:22     ## SSH
>
> ### Forward incoming ports to the "web" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22040 -j DNAT --to 10.0.0.40:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 80    -j DNAT --to 10.0.0.40:80     ## HTTP
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 443   -j DNAT --to 10.0.0.40:443    ## HTTPS
>
> ### Forward incoming ports to the "monitor" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22050 -j DNAT --to 10.0.0.50:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 850   -j DNAT --to 10.0.0.50:80     ## HTTP
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 855   -j DNAT --to 10.0.0.50:443    ## HTTPS
>
> ### Forward incoming ports to the "comm" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22060 -j DNAT --to 10.0.0.60:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 5222  -j DNAT --to 10.0.0.60:5222   ## Jabber
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 5269  -j DNAT --to 10.0.0.60:5269   ## Jabber
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 5280  -j DNAT --to 10.0.0.60:5280   ## Jabber
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 5281  -j DNAT --to 10.0.0.60:5281   ## Jabber
>
> ### Forward incoming ports to the "secure" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22070 -j DNAT --to 10.0.0.70:22     ## SSH
>
> ### Forward incoming ports to the "net" VM
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 22080 -j DNAT --to 10.0.0.80:22     ## SSH
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 8388  -j DNAT --to 10.0.0.80:8388   ## shadowsocks
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p udp --dport 8388  -j DNAT --to 10.0.0.80:8388   ## shadowsocks
> $IPT -t nat -A PREROUTING -d XX.XX.XX.XX -p tcp --dport 11094 -j DNAT --to 10.0.0.80:1194   ## OpenVPN
>
> ### Allow the VMs to access the internet
> $IPT -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
>
> And this is what I have in the syslog:
>
> Aug 28 15:50:32 ovh-1 kernel: DROPED packets IN=enp1s0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=YY.YY.YY.YY DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=2226 DF PROTO=TCP SPT=9610 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> Aug 28 15:50:32 ovh-1 kernel: DROPED packets IN=enp1s0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=YY.YY.YY.YY DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=2227 DF PROTO=TCP SPT=9610 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> Aug 28 15:50:32 ovh-1 kernel: DROPED packets IN=enp1s0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=YY.YY.YY.YY DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=2228 DF PROTO=TCP SPT=9610 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
> Aug 28 15:50:32 ovh-1 kernel: DROPED packets IN=enp1s0 OUT= MAC=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ:ZZ SRC=YY.YY.YY.YY DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=2229 DF PROTO=TCP SPT=9610 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
>
> *** I have several hundred similar lines where only the ID changes, then: ***
>
> Aug 28 15:50:32 ovh-1 kernel: e1000e: enp1s0 NIC Link is Down
> Aug 28 15:50:32 ovh-1 systemd-networkd[20998]: enp1s0: Lost carrier
> Aug 28 15:50:34 ovh-1 systemd-networkd[20998]: enp1s0: Gained carrier
> Aug 28 15:50:34 ovh-1 kernel: e1000e: enp1s0 NIC Link is Up 100 Mbps Full Duplex, Flow Control: None
> Aug 28 15:50:34 ovh-1 kernel: e1000e 0000:01:00.0 enp1s0: 10/100 speed: disabling TSO
>
> The log shows that the network is UP but the server is offline.
> In the VMs' logs I don't have anything abnormal.
>
> OVH has changed the motherboard and the Ethernet cable but the problem
> still persists; the syslog shows that it's probably a software problem.
>
> Do you have any idea what is happening, or a way to help me debug this problem?
>
> Thank you in advance.
>
> Kevin
> --
>
> DAGNEAUX Kevin
> IT Department
> 03 29 36 88 85
> kevin.dagne...@fiitelcom.fr
>
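
To see which packets the LOG rule is actually catching, the drops can be grouped by flow and TCP flags: a RST that matches no conntrack entry is INVALID, is not processed by the nat table's DNAT rules, and therefore reaches INPUT with the public address still as its destination. The sketch below is an added example, not part of the original messages; the sample lines are constructed in the format of the excerpt above, and the 198.51.100.7 source and port 8080 are hypothetical.

```python
from collections import Counter

PREFIX = "DROPED packets"  # --log-prefix string set by the script above
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_log_line(line):
    """Return the fields of one netfilter LOG line, or None for any other line."""
    if PREFIX not in line:
        return None
    tokens = line.split(PREFIX, 1)[1].split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    # TCP flags are logged as bare words (no '='); DF is an IP flag, not TCP.
    fields["FLAGS"] = "/".join(f for f in TCP_FLAGS if f in tokens)
    return fields

def triage(log_text):
    """Group logged drops by flow and flags; report whether the NIC link dropped."""
    flows, link_down = Counter(), False
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt:
            flows[(pkt.get("SRC"), pkt.get("SPT"), pkt.get("DPT"), pkt["FLAGS"])] += 1
        elif "NIC Link is Down" in line:
            link_down = True
    report = []
    for (src, spt, dpt, flags), count in flows.most_common():
        # A RST logged in INPUT matched no conntrack entry, so DNAT never saw it.
        kind = "untracked RST" if "RST" in flags else "check for a missing rule"
        report.append((src, spt, dpt, flags, count, kind))
    return report, link_down

def _line(src, spt, dpt, ident, flags):
    # Constructed sample line in the format of the syslog excerpt above.
    return ("Aug 28 15:50:32 ovh-1 kernel: DROPED packets IN=enp1s0 OUT= MAC=ZZ:ZZ "
            f"SRC={src} DST=XX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID={ident} "
            f"DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=0 RES=0x00 {flags} URGP=0")

# Constructed input: four RSTs like those in the message, one SYN to a port
# the script does not forward (hypothetical), then the link-down event.
SAMPLE = "\n".join(
    [_line("YY.YY.YY.YY", 9610, 80, 2226 + i, "RST") for i in range(4)]
    + [_line("198.51.100.7", 40000, 8080, 1, "SYN"),
       "Aug 28 15:50:32 ovh-1 kernel: e1000e: enp1s0 NIC Link is Down"])

if __name__ == "__main__":
    report, link_down = triage(SAMPLE)
    for row in report:
        print(*row)
    print("link down seen:", link_down)
```
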
